If the OEMs are choosing to sign off on the OS and be the gatekeeper for core system updates, then they effectively own the security flaws and they should be held responsible for defects in their product. To me, this is a consumer protection issue.